Connecting to MQTT over TLS not working

Hi all,

I’ve created an eclipse-mosquitto MQTT server and configured it to connect over TLS.
I tried with a local client and it works perfectly.

I’ve also added the CA certificate to the configuration.yaml for HA:

  certificate: /config/certificates/letsencrypt_ca.crt

But the mosquitto logs the following:

1663433635: New connection from on port 1884.
1663433635: OpenSSL Error[0]: error:1403F3F2:SSL routines:ACCEPT_SR_FINISHED:sslv3 alert unexpected message
1663433635: Client <unknown> disconnected: Protocol error.
1663433638: New connection from on port 1884.
1663433638: OpenSSL Error[0]: error:02FFF020:system library:func(4095):Broken pipe
1663433638: Client <unknown> disconnected: Protocol error.

So it looks like HA isn’t connecting with TLS 1.2? Any ideas?

Is 1884 the right port? Usually 1883 and 1884 are used for unencrypted communication and 8883 and 8884 are used for encrypted communication with the broker.

I’ve overwritten the default. This is my config. I’m sure I’m using TLS :wink:

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log

per_listener_settings true

listener 1884
allow_anonymous false
password_file /mosquitto/config/password.txt
certfile /mosquitto/cert/tls.crt
keyfile /mosquitto/cert/tls.key
cafile /mosquitto/data/ca_letsencrypt.crt

Just to check the obvious one, the CN on the cert matches the domain you’re using to connect to the broker right? When you connected with a local client you didn’t have to turn off certificate validation right?

Are you requiring clients to present a client certificate to connect (mTLS)? This option specifies the CA cert that client certificates must be issued by in order to connect. If you are using client certificates then you need to add that to your HA config. If not, then you should remove this.

Yes and yes, but I could delete the ca file from my mosquitto config. So I still don’t understand why it doesn’t work.
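A client-side check of the listener, as an added example that is not part of this thread: it uses only the Python standard library to complete a TLS handshake against the broker with the trust settings HA needs (the CA file, hostname matching, and an optional client certificate if the listener requires mTLS), reports the negotiated version and the certificate CN/SANs, and classifies a failed handshake. The host, port and CA path at the bottom are placeholders to replace with your own.

```python
import socket
import ssl


def make_client_context(cafile=None, certfile=None, keyfile=None):
    """Trust settings a client should use against a TLS MQTT listener."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True           # CN/SAN must match the name you dial
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:                          # CA that issued the broker's tls.crt
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()        # public CA via the OS trust store
    if certfile:                        # only if the listener demands mTLS
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def classify(exc):
    """Map a handshake failure to the likely misconfiguration."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify"            # wrong CA file, or CN/SAN mismatch
    if isinstance(exc, ssl.SSLError):
        msg = str(exc)
        if "WRONG_VERSION_NUMBER" in msg or "UNEXPECTED_MESSAGE" in msg:
            return "not-tls"            # the port answered in plaintext
        return "tls-other"
    if isinstance(exc, OSError):        # refused, timeout, DNS failure
        return "unreachable"
    return "unknown"


def probe(host, port, ctx, timeout=5.0):
    """Handshake with the broker and report what it negotiated."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                cn = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "cn": cn, "san": sans}
    except Exception as exc:            # every failure is classified, not hidden
        return {"ok": False, "reason": classify(exc), "detail": str(exc)}


if __name__ == "__main__":
    # Placeholder broker name and CA path: substitute your own values.
    ctx = make_client_context("/config/certificates/letsencrypt_ca.crt")
    print(probe("broker.example.invalid", 1884, ctx))
```

A result with `"reason": "not-tls"` means the port is not speaking TLS at all; `"cert-verify"` points at the CA file or the certificate name rather than the port.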